From 7edc58b727781ac6a1097ebe4b8789f4afcfc02d Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Tue, 20 Feb 2018 16:11:07 -0500
Subject: [PATCH] stricter Referrer-Policy to reduce unintended information leakage
---
 src/middleware/headers.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/middleware/headers.js b/src/middleware/headers.js
index 035608eab6..d63f163d7c 100644
--- a/src/middleware/headers.js
+++ b/src/middleware/headers.js
@@ -11,6 +11,7 @@ module.exports = function (middleware) {
 'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + encodeURI(meta.config['allow-from-uri']) : 'SAMEORIGIN',
 'Access-Control-Allow-Methods': encodeURI(meta.config['access-control-allow-methods'] || ''),
 'Access-Control-Allow-Headers': encodeURI(meta.config['access-control-allow-headers'] || ''),
+ 'Referrer-Policy': 'strict-origin-when-cross-origin', // consider using helmet?
 };
 if (meta.config['access-control-allow-origin']) {
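Review bot: The trailing `// consider using helmet?` on the added Referrer-Policy line is an open question left in the code rather than documentation of the choice; either drop it or turn it into a tracked item, e.g. `'Referrer-Policy': 'strict-origin-when-cross-origin', // TODO: evaluate helmet for the whole header set`. A short why-comment would also serve the next maintainer better, since this is the one fixed value in an object whose neighbouring entries all read from meta.config: `// full URL only same-origin; origin only cross-origin over HTTPS; nothing on an HTTPS->HTTP downgrade`. Whether the value should be overridable from meta.config like the entries above it is a design call the commit does not state; if it is meant to stay fixed, saying so in the comment keeps the question from resurfacing. The enclosing object literal and its function begin before the hunk and continue past it.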